SIEM Collector 11.0 Product Guide

User Manual:

Open the PDF directly: View PDF .
Page Count: 14

Download
Open PDF In Browser	View PDF

SIEM Collector - PRODUCT GUIDE
Summary
The McAfee SIEM Collector is host-based software that can be conﬁgured to send events to a McAfee ESM
with a Receiver. The SIEM Collector can be conﬁgured to send events from the local Windows machine or
from remote Windows machines.

Terms
MEF - McAfee Event Format: The protocol the SC uses to communicate with a Receiver.
ESM - Enterprise Security Manager: Interface for the SIEM solution.
EVT(EVTX) - A ﬁle extension for ﬁles created by the Windows Event Viewer. .evt is the older format and
.evtx the newer.
SIEM - Security Information Event Management
DNS - Domain Name Server
MSSQL - Microsoft SQL Server
WEF - Windows Event Forwarding.

RECEIVER CONFIGURATION
To change the settings of the Receiver that the SIEM Collector communicates with, open the SIEM Collector
conﬁguration utility and select the appropriate Receiver.

When the Receiver node is selected, the screen displays information regarding the Receiver to which the
event data is being sent. This includes the Receiver's IP address (must be a valid IP address), MEF port, and
the Network Adapter to use. It reﬂects the information that was entered when the Utility was installed.
If you don't know the target Receiver's IP address or MEF port, do the following to locate them:
1.
2.
3.
4.
5.

Log on to the ESM console.
Select the node of the target Receiver in the Navigation Tree.
Click on the Properties icon in the Actions Toolbar. The Receiver Properties screen will open.
Select Receiver Conﬁguration.
Select Interface. The IP address and MEF port will be listed on the screen.
MEF Port: This port value should be the same as the MEF Port that the Receiver is conﬁgured to
use.
Selected Network Adapter: If you want to select a speciﬁc network adapter to be used for

communicating with the Receiver, you can select it from this list.
Using SSL to encrypt log events sent to the Receiver:
If you want the event logs to be encrypted using SSL, this box should be checked. If you do check the
"encrypted" checkbox, you should also check the "Use encryption" checkbox for each receiver datasource
you create. (See Clients section for more help with encryption and encryption with host IDs)
Whenever a change to one of these ﬁelds is made, click Apply to save the changes and keep the Utility
open or click OK to save the changes and close the Utility. Clicking either of these buttons validates settings
and restarts the service if it is running.

GROUP CONFIGURATION
1. Launch the McAfee SIEM Collector Management Utility by navigating to Start -> All Programs -> McAfee
-> SIEM Collector Management Utility.
Select the "Receiver" node in the tree view on the left-hand side of the interface, and conﬁrm the
Receiver IP address and port value. Make changes as necessary.
Select the "SIEM Collector" node in the tree view. Click on the plus sign above the tree view to add a
new host group.

A host group is a container object that will contain hosts. One or more hosts can be added to a group
to ease management of a SIEM Collector conﬁguration that will remotely collect events from many
hosts.
Once you have clicked the "Add Group" button, a host group object will be created, and the properties
of the host group will be displayed in the right-hand panel. New groups are marked as Disabled by
default. A group must be enabled to collect from any hosts under that group.

On this screen you can change the name of your new host group and the credentials that will be used
for collection . Click "Apply" to save changes.
Credentials may be set at the Groups level and inherited by all child nodes in the group Individual
nodes can be changed to not use the group's credentials if desired.
Note: Credentials are only validated when the group has enabled clients. Failed validation
will disable the client/host.
The logging level may be set for the selected group. This setting is inherited by all of the group's child
nodes. Individual child nodes may be changed to not use the parent's settings.
With the host group selected, click the plus sign above the tree view to add a new host.
On the host properties screen on the right, type in the DNS name or IP address of the host you will be
collecting events from.
The Host is Disabled by default. The host must be enabled to collect from any of its clients.
Credentials are inherited from the parent group but may be over written.
Note : Credentials are only validated when the host has enabled clients. Failed validation
will disable the client/host.
The Logging Level is inherited from the parent group but may be over written.
Encryption settings are automatically established based on what the Receiver datasource is
conﬁgured with.
To add a new client, select a client type from the "Choose Client" drop-down box and then click "Add
Client".

CLIENTS
When adding a client, you must ﬁrst select the Host that you want to add the client to. The client type is
then determined through the dropdown:

ENCRYPTION
Enabling encryption with SSL between the SIEM Collector and the ESM requires both devices to have it
enabled.
ENCRYPTION WITH HOST IDS

In order to use encryption with host IDs it must be set up with one 'bridging' client that uses an IP address.
This opens the ﬁrewall for the connection and allows the receiver to connect with an encrypted connection.

Custom SQL
For collection from both MSSQL and Oracle databases, if the database credentials are not the same as the
credentials of the machine on which the database resides, the database credentials will need to be entered
in the "Credential" section of the "Host Conﬁguration" screen.
Installing Drivers

Oracle
Download the Instant Client Package - Basic version 11.2.x.x
Create a folder under C: called instantclient and un zip the drivers into the new folder
Open Control Panel -> System and Security -> System
Open Advanced system setting
Open Environment Variables...
Add "C:\instantclient;" (no quotes) to the path environment variable. The path recorded in the
environment variable needs to point to the Oracle directory that contains the "vc9" directory.

MSSQL
Install Microsoft® ODBC Driver for SQL Server®
Note: This will be different depending on your Windows version

After conﬁguring the database credentials, select "Custom SQL" from the client drop-down list and press
"Add Client". On the "Login to Database" screen as pictured above, the database type and security can be
selected. "Security" can be either "Windows Integrated Security", meaning the client will use the Windows
account credentials for the host as conﬁgured in the "Credential" section; or "Database Security", meaning
the client will use the database credentials as conﬁgured in the "Credential" section. Windows Integrated
Security authentication is currently only available for SQL Server connections.

Note: The bookmark field is used to determine which record in the table is used to track where
the last collection ended. Initially the bookmark is set to the latest record in the table, onl
y records after this point are collected.
After conﬁguring the login details, the "SQL Client" window appears. On this screen, the following ﬁelds can
be conﬁgured:
Name - Required . The name of the client.
Host ID - An ID that corresponds to a host ID associated with a datasource on the Receiver.
Forwarding Method - Determines if the events are sent as syslog over MEF or ﬁeld mapped as MEF.
Select a Database - Lists the databases available to collect from.
Select a Table/View - Lists the tables available to collect from in the selected database.
After selecting a database and table to collect from, a column must be selected to be used as the
bookmark, and columns must be selected to collect from. If "syslog" is selected as the forwarding method,

no further conﬁguration is needed. If "MEF" is selected as the forwarding method, the database columns
must be mapped to MEF ﬁelds. "Message" is the only required MEF ﬁeld and must be mapped to a column in
the selected table.

Generic Log Tail

Name - Required . The name of the client.
Host ID - An ID that corresponds to a host ID associated with a datasource on the Receiver.
Directory - Required . The path that the client will pull log ﬁles from. The directory ﬁeld can be entered
manually, or the ﬁle browser can be used to navigate to a path by clicking on the folder icon.
File Name - Required . The name of the ﬁle that the client will read. This can be a full ﬁle name (i.e.
"dhcp.log"), or use wildcards (i.e. "*.log" or "*").
Tail Mode - Determines whether the client will start reading the log from the top of the ﬁle or start from
the bottom with new events as they are written to the ﬁle.
Multi Line Events - Used to indicate whether or not the events in the log ﬁle span multiple lines or not.
Setting this ﬁeld will require setting a delimiter.
Delimiter - Determines what the client uses as the delimiter between events (i.e. "Linux" would split the
events whenever the word "Linux" is found, and "(?:\d{1,2}\/){2}\d{4}" would split the events every
time a date in the format MM/DD/YYYY is found). Leaving this ﬁeld blank will default to delimiting on
newlines.
Delimiter is a RegEx - Indicates whether or not the delimiter in the "Delimiter" ﬁeld is a regular
expression.
Max Lines Per Event - Indicates the maximum number of lines a multi-line event can span.

SQL Server C2 Audit Logs

Windows Events

Name - Required . The name of the client.
Host ID - An ID that corresponds to a host ID associated with a datasource on the Receiver.
Windows Logs - Required . A list of available logs on the machine. One or more must be selected to
collect from.
WEF Events - If checked, this indicates that the events are being forwarded from a remote machine
and changes the "From" location to the hostname of the machine that generated the event. If
unchecked, all events will show up on the Receiver showing a "From" location with the IP address of
the machine that transmitted the events to the Receiver. In most (if not all) cases this is used with the
"Forwarded Events" log.
Note: WEF events requires Windows Event Forwarding to be enabled between the Windows machi
nes.

Windows EVT Files

Sample Windows Client Conﬁgurations
Custom SQL

Generic Log Tail

SQL Server C2 Audit Logs

Windows Events

Windows EVT Files

ESM DATA SOURCE CONFIGURATION
The ESM Datasource type will depend on which SIEM Collector Client type is chosen to collect from.
Important : If your SIEM Collector is collecting logs from other sources you must create an ESM
Datasource for the IP Address that the SIEM Collector is transmitting from, or use the DHCP mas
k and host IDs.

Note : If a Host ID is used on the SIEM Collector then the ESM datasource may use the Host ID i
nstead of an IP Address. Host IDs are case sensitive. (See the Clients Encryption with host IDs
section for using this host IDs with encryption)

Custom SQL
Note : The Generic SQL may also be set up as a Generic Syslog Datasource.

Generic Log Tail

SQL Server C2 Audit Logs

Windows Events

Windows EVT Files
The Windows EVT Files client is setup the same as the Windows Events.

AutoLearn
See AutoLearn documentation to setup AutoLearning. Custom SQL may also use Syslog as the Autolearn
type.

CONFIGURATION FILE
The SIEM Collector generates a conﬁguration ﬁle (conﬁg.xml) when the application is installed using the
Windows installer. The main purpose of this ﬁle is to tell the Collector how and where data should be parsed.
It also can be used to perform a remote installation by being passed as an argument to msiexec. The
conﬁguration ﬁle is updated as changes are made within the Utility. The structure of the conﬁguration ﬁle
should look something similar to this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

This conﬁguration ﬁle can also be used to perform a remote installation of the SIEM Collector. Note that
when using the conﬁguration ﬁle to install the SIEM Collector remotely, it does not need a .xml extension.
The important thing is that the contents of the ﬁle are valid XML. However on the Windows machine itself the
Utility will speciﬁcally look for a conﬁg.xml ﬁle to load. It is possible to modify the XML manually instead of
using the Utility. Here is a list describing the XML nodes that the SIEM Collector uses for reference:
< EventCollectorConﬁg > - The root XML node.
LogLevel - Possible Values:
Error - Logs errors
Info - Same as Error but also logs related information
Warn - Same as Info but also logs warnings
Debug - Same as Warn but also logs debug information
Diagnostic - Same as Debug but also logs diagnostic information
MaxLogSize - The maximum size in bytes of the log ﬁle. When the maximum size is reached, the
new information will write over the oldest information. The debug ﬁle is called debug.log and is
stored in the directory where the Collector was installed
< Credentials/ > CredentialType - Possible values: OtherAccount, ParentSettings
Authenticated - Possible values: true, false
< Receiver/ > IPAddress - The IPAddress of the target Receiver
Port - The MEF port used by the target Receiver
Encrypt - Encrypt data sent to the Receiver. Possible values: true, false
AdapterIPAddress - IP of the network adapter being used
< HostGroup > Name - Name of the group
Enabled - Enable/Disable all hosts in the group. Possible values: true, false
UseParentLogging - Use credentials of the SIEM Collector node. Possible values: true, false
< Credentials/ > CredentialType - Possible values: OtherAccount, ParentSettings
Authenticated - Possible values: true, false
Username - Username of the Windows machine
Password - Password of the Windows machine
< Host > Enabled - Enable/Disable all hosts in the group. Possible values: true, false
LocalHost - Using local machine or not. Possible values: true, false
Host - The hostname/IP Address of the windows machine.
IsHostValid - Used by the Utility to show if the hosts are valid or not. Possible values: true, false

UseParentLogging - Use credentials of the host node. Possible values: true, false
< Client >
Enabled - Enable/Disable the host. Possible values: true, false
IsClientValid - Did the client successfully connect? Possible values: true, false
Name - Name of the client
ID - Unique ID generated by Utility
PluginType - Possible Values: WindowsEvent, MEF, Syslog
ClientType - Possible Values: WinEvent, WinEVT, C2Audit, LogTail
< Conﬁguration/ > - Client speciﬁc conﬁgurations
Key - Maps to the Value for a conﬁguration

TROUBLESHOOTING
SIEM Collector Utility
Does not boot and fails silently
If the XML of the conﬁg.xml ﬁle is not formatted properly the Utility will not load and will not display any error
messages. Check the XML and make sure all tags are closed properly.
Cannot Enable Client

1. You will need to enable the parent group.
2. You will need to enable the parent host.
Cannot Enable Host

1. You will need to enable the parent group.
Cannot Enable Client

Verify you have the correct host/ip.
Verify that the host/ip you are connecting to is powered on.
Verify that the username/password for this host/ip used is correctly.
Verify that the host/ip you are connecting to can get through the ﬁrewall.
Verify the host/ip is not behind a proxy.

Source Exif Data:

File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
XMP Toolkit                     : Adobe XMP Core 5.6-c015 81.157285, 2014/12/12-00:43:15
Create Date                     : 2016:02:17 00:31:22
Modify Date                     : 2016:06:17 09:16:28-05:00
Metadata Date                   : 2016:06:17 09:16:28-05:00
Producer                        : wkhtmltopdf
Format                          : application/pdf
Title                           : SIEM Collector 11.0 Product Guide
Creator                         : 
Document ID                     : uuid:dadf3d93-d171-4c26-953c-62763b4c1918
Instance ID                     : uuid:c60c9596-21a4-45b5-9db8-27163cfcf752
Page Count                      : 14
Warning                         : [Minor] Ignored duplicate Info dictionary

EXIF Metadata provided by EXIF.tools

SIEM Collector 11.0 Product Guide

Navigation menu

Versions of this User Manual:

Views

Navigation